Case Information
*1 Case 1:23-cv-01261-RLY-CSW Document 117 Filed 08/08/25 Page 1 of 31 PageID #:
1211 UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF INDIANA INDIANAPOLIS DIVISION RACHEL JARRETT, individually and on )
behalf of all others similarly situated, )
)
Plaintiff, )
) v. ) No. 1:23-cv-01261-RLY-CSW )
UPPERLINE HEALTH, INC., d/b/a )
UPPERLINE HEALTH INDIANA, )
)
Defendant. ) ENTRY ON DEFENDANT'S MOTION TO DISMISS
Plaintiff Rachel Jarrett filed a Second Amended Class Action Complaint ("SAC") against Upperline Health, Inc. d/b/a Upperline Health Indiana on behalf of a putative class of similarly situated persons. Plaintiff alleges that Upperline non-consensually and deceptively embedded third-party source code on its publicly available website. She alleges this third-party source code, which is not visible to users of the website, causes transmissions of her personally identifying, private health information to third parties, including Facebook. Plaintiff filed this suit in federal court under the Class Action Fairness Act, 28 U.S.C. § 1332(d). She asserts claims for negligence (Count I), negligence per se (Count II), invasion of privacy (Counts III & IV), implied breach of contract (Count V), unjust enrichment (Count VI), bailment (Count VII), violation of the Indiana Deceptive Consumer Sales Act (Count VIII), violation of the Electronic *2 Case 1:23-cv-01261-RLY-CSW Document 117 Filed 08/08/25 Page 2 of 31 PageID #:
1212 Communications Privacy Act (Counts IX-XI), and violation of the Computer Fraud and Abuse Act (Count XII).
Upperline now moves to dismiss Plaintiff's SAC under Federal Rule of Civil Procedure 12(b)(6) for failure to state a claim upon which relief can be granted. For the reasons discussed below, the court finds Upperline's motion should be GRANTED in part and DENIED in part .
I. Background
Upperline is a for-profit healthcare corporation organized in Delaware with a principal place of business in Nashville, Tennessee. (Filing No. 85, SAC ¶ 34). It operates over a dozen podiatry clinics in Indiana and maintains a public website at https://www.upperlinehealthindiana.com (the "Website"). [1] ( Id . ¶ 10). Upperline encouraged its patients to use the Website to access a patient portal, pay bills, complete new patient paperwork, view Upperline's medical services, and find doctors and clinic locations. ( Id . ¶ 11).
According to the Second Amended Complaint, Upperline embedded tracking devices on its Website, which collected and transmitted Plaintiff's protected health *3 Case 1:23-cv-01261-RLY-CSW Document 117 Filed 08/08/25 Page 3 of 31 PageID #:
1213 information ("PHI") [2] and/or her personally identifiable information ("PII") [3] (collectively "Private Information") to Facebook, Google, and other third parties, without her knowledge or consent. ( Id. ¶ 10). A tracker is "a snippet of code embedded into a website that tracks information about its visitors and their website interactions." ( Id. ¶ 13).
One of the trackers Upperline installed on its Website from roughly January 28, 2021, through April 3, 2023, was Facebook's Meta Pixel. ( Id. ¶¶ 14, 74). By default, the Meta Pixel tracks information about a web user's device and the URLs and domains they visit. ( Id. ¶ 14). It can also be configured to track a visitor's search terms, button clicks, and form submissions. ( Id. ). Further, the Meta Pixel can link a user's website interactions with an individual's unique and persistent Facebook ID, "allowing a user's health information to be linked with their Facebook profile." ( Id. ). Upperline utilized the Meta Pixel to market its services and bolster its profits. ( ¶ 20). Facebook, in turn, utilizes data from its tracking technology to build data profiles for the purpose of creating *4 Case 1:23-cv-01261-RLY-CSW Document 117 Filed 08/08/25 Page 4 of 31 PageID #:
1214 targeted online advertisements and enhanced marketing services, which it sells for a profit. ( Id. ).
Plaintiff resides in Kokomo, Indiana, and was a patient of Upperline from April to October 2022. ( Id. ¶ 111 ). During that time, she alleges she accessed the Website "somewhere between five and ten times" to schedule appointments and to access the patient portal to send messages to her doctor. ( Id . ¶¶ 111, 115). Plaintiff reasonably expected that her online communications with Upperline were confidential, solely between herself and Upperline, and, as such, would not be transmitted to third parties. ( Id. ¶ 116).
Plaintiff alleges that, through utilization of the Facebook Meta Pixel, Upperline unlawfully disclosed her Private Information, including her identity, location, patient status, health conditions and the treatment she sought, and the names of the medical providers she searched for and viewed, to Facebook without her knowledge or consent. ( Id. ¶¶ 118, 125, 127). Plaintiff claims that since using Upperline's Website, she has been "targeted by health-related online advertisements" on her Facebook page, including podiatry-related advertising, and "has even received a massive shipment of braces and casts, with no return address." ( Id. ¶¶ 120-21, 129(b)).
Upperline does not provide its patients with any privacy policies, nor discloses that their usage of its Website is not private or that the Website contains Meta Pixel or other tracking technologies to its patients. ( Id. ¶ 70). Plaintiff first discovered Upperline was using the Meta Pixel and other tracking technologies to gather and disclose her Private Information in October 2023. ( ¶ 124).
Case 1:23-cv-01261-RLY-CSW Document 117 Filed 08/08/25 Page 5 of 31 PageID #:
1215 All other allegations necessary to resolve this motion will be addressed in the Discussion Section.
II. Legal Standard
Pursuant to Federal Rule of Civil Procedure 12(b)(6), a party may move to dismiss a pleading for failure to state a claim upon which relief can be granted. To survive a motion to dismiss, the claim "must contain sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face." Bell Atl. v. Twombly , 550 U.S. 544, 555 (2007); see also Indep. Tr. Corp. v. Stewart Info. Servs. Corp. , 665 F.3d 930, 935 (7th Cir. 2012) ("The complaint 'must actually suggest that the plaintiff has a right to relief, by providing allegations that raise a right to relief above the speculative level.'") (quoting Windy City Metal Fabricators & Supply, Inc. v. CIT Tech. Fin. Servs ., 536 F.3d 663, 668 (7th Cir. 2008)) . "A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Ashcroft v. Iqbal , 556 U.S. 662, 678 (2009) (quoting Twombly. , 550 U.S. at 556). In applying this standard, the court accepts all well-pleaded facts as true and draws all reasonable inferences in favor of the non-moving party. Mann v. Vogel, 707 F.3d 872, 877 (7th Cir. 2013).
III. Discussion
The court previously dismissed Plaintiff's First Amended Complaint on grounds that Plaintiff failed to plausibly allege that her use of Upperline's public Website resulted in the disclosure of her Private Information to Facebook. ( See Filing No. 83, Entry on Def.'s Mot. to Dismiss). Upperline now moves to dismiss Plaintiff's SAC on grounds that *6 Case 1:23-cv-01261-RLY-CSW Document 117 Filed 08/08/25 Page 6 of 31 PageID #:
1216 it fails to cure the deficiencies the court outlined in its Entry dismissing Plaintiff's First Amended Complaint. Consequently, the court addresses that issue first.
A. Plaintiff's Private Information Upperline argues that Plaintiff has once again failed to plausibly allege that she communicated her Private Information on Upperline's public Website to access the patient portal, schedule appointments, and to find a doctor, which was then transmitted to Facebook.
Allegations that a plaintiff searched and viewed publicly available information on a public website are insufficient to allege a disclosure of sensitive Private Information. See Cousin v. Sharp Healthcare , 681 F. Supp. 3d 1117, 1123 (S.D. Cal. 2023) (holding plaintiffs' allegations "that they used www.sharp.com, a public website, to research doctors, look for providers, and search for medical specialists" did not involve PHI because the information did not relate specifically to plaintiffs' health and was, instead, general health information) (citation modified); Smith v. Facebook Inc. , 262 F. Supp. 3d 943, 954–55 (N.D. Cal. 2017) (holding searches on publicly available healthcare websites do not relate to one's past, present, or future physical or mental health), aff'd , 745 F. App'x 8 (9th Cir. 2018). But the collection and transmission of information from a publicly available website "may be actionable . . . if the information disclosed demonstrates that the plaintiff's interactions plausibly relate to the provision of healthcare, or if the information connects a particular user to a particular healthcare provider (i.e., patient status)." Nienaber v. Overlake Hosp. Med. Ctr. , 733 F. Supp. 3d 1072, 1082 (W.D. Wash. 2024) (first citing Cousin v. Sharp Healthcare (Cousin II) , 702 *7 Case 1:23-cv-01261-RLY-CSW Document 117 Filed 08/08/25 Page 7 of 31 PageID #:
1217 F. Supp. 3d 967, 973 (S.D. Cal. 2023); and then citing In re Meta Pixel Healthcare Litig. , 647 F. Supp. 3d 778, 793 (N.D. Cal. 2022)). For example, in Cousin II , the district court held that plaintiffs' allegations showing they searched defendant's physician directory for doctors who specialize in their medical conditions and that one of the plaintiffs booked an appointment "plausibly convey[ed] information about a present medical condition and the provision of medical care covered by HIPAA." 702 F. Supp. 3d at 973. And in Meta Pixel , the district court found that "the act of clicking the 'Log in' button, when coupled with the MedStar Health patient portal URL and the other information transmitted by the Pixel, sufficiently identifies the website user as a patient," which is PHI under HIPAA. 647 F. Supp. 3d at 792.
Plaintiff alleges that Upperline has configured the Meta Pixel such that once a user has navigated to Upperline's public Website, it tracks a user's clicks on its Website. (SAC ¶ 76). For example, if a user clicks on the "Schedule an Appointment" button on Upperline's public Website, this action is shared with Facebook through a "SubscribedButtonClick" event. ( Id . ¶ 80). This event would reveal to Facebook that the user is a new or existing patient. ( Id. ). Upperline also shares its patients' status to Facebook through its transmission of SubscribedButtonClick events when they use Upperline's Website to log onto the patient portal or to pay their bills. ( Id. ¶ 77). The Pixel transmits other information too, such as the location of the appointment, the name of the doctor that a user researched on the Website, and the services a user researched on the Website. ( ¶¶ 89–91).
Case 1:23-cv-01261-RLY-CSW Document 117 Filed 08/08/25 Page 8 of 31 PageID #:
1218 Here, Plaintiff alleges that she used the public Website to schedule appointments, find a podiatrist, and to access the patient portal. ( ¶ 113). The court finds it plausible that, at the very least, the information transmitted when she scheduled an appointment with a physician is information related to patient status. Such information is PHI under HIPAA because it is "individually identifiable" information that is "received by a health care provider" and that "[r]elates to . . . the provision of health care to an individual." 45 C.F.R. § 160.103; Cousin II , 702 F. Supp. 3d at 973. Accordingly, the court now turns to Plaintiff's claims.
B. Count I, Negligence Under Indiana law, common law negligence claims consist of three elements: "(1) duty owed to the plaintiff by defendant; (2) breach of duty by allowing conduct to fall below the applicable standard of care, and (3) compensable injury proximately caused by defendant's breach of duty." Bader v. Johnson , 732 N.E.2d 1212, 1217 (Ind. 2000).
In Count I, Plaintiff alleges Upperline was negligent by failing to reasonably protect her Private Information from disclosure to unauthorized third parties. Upperline argues it had no duty to safeguard Plaintiff's Private Information on its public Website; Plaintiff has not alleged a cognizable injury; and Plaintiff's claim is barred by the economic loss doctrine. Plaintiff disagrees.
1. Duty "[B]usinesses have the common-law 'duty to exercise ordinary and reasonable care in the conduct of their operations . . . for the safety of others whose injuries should reasonably have been foreseen or anticipated.'" WEOC, Inc. v. Niebauer , 226 N.E.3d *9 Case 1:23-cv-01261-RLY-CSW Document 117 Filed 08/08/25 Page 9 of 31 PageID #:
1219 771, 778 (Ind. 2024) (quoting Picadilly, Inc. v. Colvin , 519 N.E.2d 1217, 1220 (Ind. 1988)). "Whether a duty exists is generally a question of law for the court." Jaffri v. JP Morgan Chase Bank, N.A. , 26 N.E.3d 635, 638 (Ind. Ct. App. 2025).
Plaintiff alleges Upperline had a duty to protect her Private Information from disclosure and unauthorized transmittal to third parties. (SAC ¶ 200). To establish the element of duty, Plaintiff relies on data breach cases where, for example, an employer was subject to a cybersecurity incident in which hackers obtained the personal information of its employees, including social security numbers, driver's licenses/state ID numbers, and/or financial account information. Johnson v. Nice Pak Prods., Inc. , 736 F. Supp. 3d 639, 644 (S.D. Ind. 2024); McLaughlin v. Taylor Univ. , No. 1:23-cv-00527- HAB-SLC, 2024 WL 4274848, at *1 (N.D. Ind. Sept. 23, 2024). Those courts held that the employer has a duty to protect its employees' personally identifiable information in a reasonably secure manner. Johnson , 736 F. Supp. 3d at 647; McLaughlin , 2024 WL 4274848, at *5 (citing Paul v. Ardagh Glass, Inc. , No. 49D07-2209-CT-031302, 2023 WL 5153147, at *7 (Ind. Super. Ct. Jan. 23, 2023)); see also Webster v. Bradford-Scott Data, LLC , No. 1:24-cv-00117-HAB-SLC, 2025 WL 560917, at *7 (N.D. Ind. Feb. 20, 2025) (finding data and technology service provider had a duty to protect its customers' PII).
Upperline argues Plaintiff's case is different from Johnson and McLaughlin because in those cases, the victim employees were required to submit their personal information as a condition of employment, but here, Plaintiff was merely interacting with a public website. But Plaintiff alleges more than interacting with Upperline's Website. Plaintiff alleges that every time she clicked on certain buttons on the Website, such as the "Schedule an Appointment" button, the Meta Pixel installed on Upperline's public Website transmitted her Private Information to Facebook. (SAC ¶¶ 113, 118). Therefore, for purposes of this motion to dismiss, the court agrees with Plaintiff that Upperline had a duty to protect her Private Information in a reasonably secure manner.
2. Cognizable Injury Upperline frames the next issue as whether Plaintiff has sufficiently alleged a "cognizable" injury and not whether Plaintiff has sufficiently alleged a "compensable" injury. The two are different. A litigant must have a cognizable injury to have Article III standing to bring a claim. Raines v. Byrd , 521 U.S. 811, 819 (1997) (to have standing, "the alleged injury must be legally and judicially cognizable"); Morales v. Rust , 228 N.E.3d 1025, 1033 (Ind. 2024) ("Without a cognizable injury, a court cannot review the merits."). A litigant must have a compensable injury to recover damages for negligence and breach of contract. Bader , 732 N.E.2d at 1217; Pisciotta v. Old Nat'l Bankcorp , 499 F.3d 629, 635 (7th Cir. 2007) (applying Indiana law). Complicating matters, Johnson and McLaughlin conflated Article III standing's injury-in-fact requirement with compensable injuries. Johnson , 736 F. Supp. 3d at 648 (finding "no difference" between the inquiry for injury-in-fact and compensable damages for purposes of the case); McLaughlin , 2024 WL 4274848, at *2 (same). McLaughlin held that "[t]he time [4] and effort that data breach victims must expend" monitoring their credit card statements and other financial information are cognizable injuries but left open the question of whether those injuries could be compensated. 2024 WL 4274848, at *3 ("[T]he court finds that the increased risk of identity theft that Plaintiffs now face and the costs to mitigate those risks are cognizable injuries. The extent to which those injuries can be compensated remains to be seen."); Johnson , 736 F. Supp. 3d at 648 (same). Upperline has not brought a Rule 12(b)(1) motion for lack of standing, so the court presumes Upperline is moving to dismiss Plaintiff's negligence claim for lack of a compensable injury. But whether this issue is framed as an issue of standing or an issue of compensable injury (and consequent damages), the court finds Plaintiff has not plausibly alleged either.
In her Response, Plaintiff relies on Johnson and McLaughlin for the proposition that "the increased risk of harm [5] from the unauthorized disclosure of personal information and the costs to mitigate those risks are cognizable injuries under Indiana law." (Filing No. 98, Pl.'s Resp. at 12). But the "cognizable injuries" sustained by the plaintiffs in Johnson and McLaughlin —the increased risk of identity theft and fraud and the costs of monitoring credit card statements—are not the risks and injuries she claims. ( See SAC ¶ 129).
The harm Plaintiff alludes to in her Response may be her receipt of "targeted health-related advertisements on Facebook, reflecting her private medical information." (SAC ¶ 129(b); see also id. ¶ 207 (including as damages the "lost time and money incurred to mitigate and remediate the effects of use of their information, as to targeted advertisements that resulted from and were caused by [Upperline's] negligence"); Pl.'s Resp. at 4 ("As a direct result of [Upperline's] and the Third Parties' sale of her Private Information, Plaintiff receives targeted advertisements directly related to the treatment she sought from, and the Private Information she shared with, [Upperline].")). The court is not aware of an Indiana case holding targeted advertising is a compensable injury in this context. And, as pled, these advertisements were posted only on her Facebook feed. ( ¶ 129(b) ("Plaintiff now receives targeted health-related advertisements on Facebook, reflecting her private medical treatment information.")). In the absence of any further argument by Plaintiff on this topic, the court finds she has not plausibly alleged the damages element of her negligence claim. Therefore, Upperline's motion to dismiss her negligence claim is GRANTED . Having so found, the court need not discuss the economic loss doctrine.
C. Count II, Negligence Per Se
Under Indiana law, the "unexcused violation of a statute or ordinance constitutes negligence per se if the provision (1) protects the class of persons in which the plaintiff is included and (2) protects against the type of harm that has occurred as a result of the violation." Gresser v. Reliable Exterminators, Inc ., 160 N.E.3d 184, 190 (7th Cir. 2020) (citation modified).
In Count II, Plaintiff brings a claim for negligence per se, alleging Upperline violated its duties under Section 5 of the Federal Trade Commission Act ("FTCA"), [6] "by failing to use reasonable measures to protect Plaintiffs' . . . PII and PHI and not complying with applicable industry standards." (SAC ¶ 217). Upperline argues that the FTCA does not provide Plaintiff with a private right of action and that, in any event, her negligence per se claim is duplicative of her common law negligence claim and fails for the same reasons set forth above.
Private right of action claims and negligence per se claims, though similar, are distinct. Stachowski v. Est. of Radman , 95 N.E.3d 542, 545 (Ind. Ct. App. 2018). A private right of action assumes that an allegation of a "violation of a statute or ordinance gives rise to civil liability even in the absence of a common-law duty." Id. Negligence per se, by contrast, "assumes the existence of a common-law duty of reasonable care, and the court is asked to adopt the standard of conduct set forth in a statute or ordinance . . . as the standard of conduct required under that preexisting duty," such that "a violation of the statute or ordinance serves to satisfy the breach element of a negligence action." Id. at 544. Thus, the court agrees with Plaintiff: the fact that Plaintiff bases her claim on a statute that does not provide a private right of action does not foreclose her negligence per se claim. [7]
However, a plaintiff bringing a negligence per se claim "must still prove causation and damages just as in any other negligence claim." Am. United Life Ins. v. Douglas , 808 N.E.2d 690, 704 (Ind. Ct. App. 2004). In support of her negligence per se claim, Plaintiff alleges the same types of injuries as her common law negligence claim. ( Compare SAC ¶ 207, with id. ¶ 220; see also id. ¶ 129). Consequently, the court finds Plaintiff fails to plausibly plead a compensable injury. Upperline's motion to dismiss Plaintiff's negligence per se claim is therefore GRANTED .
D. Count IV, Invasion of Privacy—Intrusion by Seclusion "To establish a claim for invasion of privacy by intrusion, the plaintiff must demonstrate that there was an intrusion upon . . . her physical solitude or seclusion, such as by invading h[er] home or other quarters or by conducting an illegal search." Curry v. Whitaker , 943 N.E.2d 354, 357–58 (Ind. Ct. App. 2011) (citing Cullison v. Medley , 570 N.E.2d 27, 31 (Ind. 1991)). To rise to this level, "the intrusion must be something which would be offensive or objectionable to a reasonable person." (quoting Ledbetter v. Ross , 725 N.E.2d 120, 123 (Ind. Ct. App. 2000)).
In Count III, Plaintiff alleges Upperline "intentionally intruded upon [her] . . . privacy by secretly recording [her] usage of the Website, including the Private Information and confidential communications included therein." (SAC ¶ 231). Upperline argues this claim must be dismissed because: (1) there was no intentional intrusion into Plaintiff's privacy; (2) any alleged "intrusion" was not highly offensive; and See In re Sonic Corp. Customer Data Sec. Breach Litig. , No. 1:17-md-2807, 2020 WL 3577341, at *6 (N.D. Ohio July 1, 2020).
(3) there was no physical intrusion into her privacy. The court's analysis begins and ends with Upperline's third argument.
Indiana courts narrowly construe the tort of invasion of privacy upon intrusion by requiring the invasion be of the plaintiff's physical space. Fox v. Fransican All. Inc. , 204 N.E.3d 320, 327 (Ind. Ct. App. 2003) (citing Curry v. Whitaker , 943 N.E.2d 354, 358 (Ind. Ct. App. 2011) ("There have been no cases in Indiana in which a claim of intrusion was proven without physical contact or invasion of the plaintiff's physical space such as the plaintiff's home.")). "An example of an actionable intrusion upon seclusion includes peering into the windows of a private home." Curry , 943 N.E.2d at 358 (citation omitted).
Plaintiff maintains that Upperline used the Meta Pixel "to surreptitiously monitor and transmit what Plaintiff typed and read on her physical personal devices." (Pl.'s Resp. at 17). But an "intrusion" into one's personal devices—i.e., an iPhone, iPad, or laptop computer—is not an intrusion into one's private physical space. Therefore, the court finds this tort has no application to the facts she has alleged. Upperline's motion to dismiss Plaintiff's invasion of privacy by intrusion claim is GRANTED .
E. Count IV, Invasion of Privacy—Disclosure of Private Facts The tort of public disclosure of private facts consists of four elements: "(1) the information disclosed must be private in nature; (2) the disclosure must be made to the public; (3) the disclosure must be one that would be highly offensive to a reasonable person; and (4) the information disclosed is not of legitimate public concern." Cmty. Health Network, Inc. v. McKenzie , 185 N.E.3d 368, 382 (Ind. 2022).
In Count IV, Plaintiff alleges Upperline publicly disclosed her Private Information by sharing her Private Information with Facebook. Upperline argues it made no disclosure to the public at large.
The publicity element "means that the information must be communicated in a way that either reaches or is sure to reach the public in general or a large enough number of persons such that the matter is sure to become public knowledge." Id. Plaintiff has not plausibly alleged that her Private Information is sure to reach the public. Indeed, Plaintiff alleges her Private Information was transmitted to Facebook via the Meta Pixel, which resulted in her receiving health-related targeted advertisements on her personal Facebook feed.
Plaintiff's reliance on Z.D. v. Community Health Network, Inc. , for the proposition that disclosure to one person can satisfy the publicity element, is misleading. 217 N.E.3d 527 (Ind. 2023). In Z.D. , a letter containing the plaintiff's private medical information was mailed to a teenage acquaintance of plaintiff's daughter, and that teenager then posted the letter to Facebook. Id. at 530. Under these unique circumstances, the Indiana Supreme Court concluded that "disclosure to one person may, based on the facts and circumstances in a particular case, satisfy the publicity element." at 536. This makes sense in cases like Z.D. , where the disclosure was posted on the teenager's public Facebook page, which could then be shared by the teenager's Facebook friends. That is not the case here. The only person seeing the targeted advertisements is Plaintiff. Upperline's motion to dismiss Plaintiff's public disclosure of private facts claim is GRANTED .
F. Count V, Implied Contract
To succeed on a breach of contract claim in Indiana, a plaintiff must allege facts establishing: (1) a valid contract existed, (2) breach of that contract, and (3) damages caused by the breach. Trs. of Ind. Univ. v. Spiegel , 186 N.E.3d 1151, 1158 (Ind. Ct. App. 2022). In Count V, Plaintiff alleges Upperline breached an implied contract with Plaintiff by disclosing her Private Information to unauthorized third parties.
Both express and implied in fact contracts require an offer, acceptance, consideration, and a manifestation of mutual assent. Id. "They differ only in that an express contract is evidenced by spoken and written words while an implied contract is evidenced by the conduct of the parties." Id . (quoting DiMizio v. Romo , 756 N.E.2d 1018, 1024 (Ind. Ct. App. 2001))). Accordingly, "a contract implied in fact arises out of acts and conduct of the parties, coupled with a meeting of the minds and a clear intent of the parties in the agreement." McCart v. Chief Exec. Officer in Charge, Indep. Fed. Credit Union , 652 N.E.2d 80, 85 (Ind. Ct. App. 1995).
Plaintiff alleges that when she paid money and provided her Private Information to Upperline as consideration in exchange for medical services, she and Upperline entered into an implied contract pursuant to which Upperline agreed to safeguard and not disclose her Private Information. (SAC ¶ 253). "Under the terms of the contract, including the implied duty of good faith and the standards and policies governing [Upperline], such as HIPAA, . . . and industry standards, [Upperline] was obligated to protect Plaintiff's Private Information." (Pl.'s Resp. at 19). Upperline breached this implicit agreement by disclosing her Private Information to unauthorized third parties, including Facebook. (SAC ¶ 258).
Upperline argues Plaintiff has failed to plausibly allege the existence of a contract, mutual assent, consideration, and damages. Plaintiff disagrees and maintains her implied contract claim is well pleaded.
The court finds Plaintiff's theory of implied contract fails for two reasons. First, although Plaintiff's payment for medical services could be consideration for an agreement related to website security data, HIPAA already requires Upperline to protect PHI without receiving any consideration from Plaintiff or any other visitor on its Website. "[A] promise to do what one 'is already bound to do by law or by contract' is insufficient consideration." Peters v. Kendall , 999 N.E.2d 1030, 1035 (Ind. Ct. App. 2013) (quoting Ritenour v. Mathews , 42 Ind. 7, 14 (Ind. 1873)); see also In re Banner Health Data Breach Litig. , No. CV-16-02696-PHX-SRB, 2017 WL 6763548, at *3 (D. Ariz. Dec. 20, 2017) (concluding no contract was formed where the defendant "was already under a preexisting legal duty to protect [the plaintiff's] information" because the privacy policy could not "be read as a promise to do anything above and beyond what is already required by law"). Based on the allegations in Plaintiff's SAC, Upperline was already bound by HIPAA to protect patients' Private Information. Therefore, there can be no contract because Upperline did not provide consideration for the alleged contract.
Second, under Indiana law, compensable damages are an element of a breach of contract claim. Pisciotta , 499 F.3d at 635 (applying Indiana law to claims for negligence and breach of implied contract). Here, Plaintiff alleges her damages include "improper disclosure of [her] Private Information, lost benefit of [the] bargain, and lost value of [her] Private Information." (Pl.'s Resp. at 20 [8] ). The improper disclosure of Plaintiff's Private Information is not a compensable injury; instead, it serves as the basis for an invasion of privacy claim under Indiana law. See Z.D. , 217 N.E.3d at 532–33 ("Hoosiers may seek relief through an invasion of privacy claim based on the public disclosure of private facts when . . . their private information is wrongly disclosed."). The lost value of Plaintiff's Private Information is not a compensable injury either. Silha v. ACT, Inc. , 807 F.3d 169, 175 (7th Cir. 2015) (affirming district court's dismissal of plaintiff's claimed injury of diminished value of her private information for lack of Article III standing).
That leaves Plaintiff's claim for lost benefit of the bargain. "[A] party injured by a breach of contract may recover the benefit of h[er] bargain but is limited in h[er] recovery to the loss actually suffered." Sanchez v. Benkie , 799 N.E.2d 1099, 1102 (Ind. Ct. App. 2003) (quoting Fowler v. Campbell, 612 N.E.2d 596, 603 (Ind. Ct. App. 1993)). To the extent the "bargain" between Plaintiff and Upperline included not disclosing her Private Information, Plaintiff has not established how Upperline's alleged disclosure of her Private Information has deprived her of its value. Silha , 807 F.3d at 172. In other words, Plaintiff has not pled any actual "loss" arising from her use of Upperline's Website. Accordingly, Plaintiff's allegations fail to state a breach of implied contract claim. Upperline's motion to dismiss Plaintiff's breach of implied contract claim is GRANTED .
G. Count VI, Unjust Enrichment A claim for unjust enrichment, also referred to as quantum meruit or quasi- contract, requires a plaintiff to establish that "(1) [s]he rendered a measurable benefit to the defendant at the defendant's express or implied request; (2) [s]he expected payment from the defendant; and (3) allowing the defendant to retain the benefit without restitution would be unjust." Niebert v. Perdomo , 54 N.E.3d 1046, 1051 (Ind. Ct. App. 2016). In Count VI, Plaintiff alleges Upperline was unjustly enriched by the disclosure of her Private Information, which it used "for its own gain, for marketing purposes, and for sale or trade with third parties." (SAC ¶ 264).
Upperline argues Plaintiff has not pleaded any facts to show she expected payment from Upperline in exchange for using its free-to-access public Website. In response, Plaintiff insists she conferred a measurable benefit to Upperline because she paid for Upperline's medical services, which allegedly included privacy and data security protection. (Pl.'s Resp. at 22; see also SAC ¶ 122 ("Plaintiff paid for [Upperline's] healthcare services, which included reasonable privacy and data security protections for [her] Private Information.")).
Under Indiana law, a plaintiff cannot recover under a theory of unjust enrichment without showing that she conferred a benefit with the expectation of payment. Bayh v. Sonnenburg , 573 N.E.2d 398, 409 (Ind. 1991) (holding that where plaintiffs "labored without the expectation of payment, they cannot recover in quasi-contract"); Allgood v. General Motors Corp. , No. 1:02-cv-1077-DFH-TAB, 2006 WL 2669337, at *34 (S.D. Ind. Sept. 18, 2006) (granting defendant's motion for summary judgment on plaintiffs' claim for unjust enrichment in part because plaintiffs failed to show "that they offered such a benefit with any expectation of compensation"). Although Plaintiff claims Upperline used her Private Information for its own financial benefit, she pleads no facts suggesting she ever expected payment from Upperline in return for disclosing her Private Information on its Website. Upperline's motion to dismiss Plaintiff's unjust enrichment claim is therefore GRANTED .
H. Count VII, Bailment
In Indiana, "[a] bailment is an agreement, either express or implied, that one person will entrust personal property to another for a specific purpose and that when the purpose is accomplished the bailee will return the property or the bailor will reclaim it." Stubbs v. Hook , 467 N.E.2d 29, 31 (Ind. Ct. App. 1984) (citing 8 Am. Jur. 2d (Rev.) § 2 (1980)). A bailment takes place when: "(1) personal property belonging to a bailor is delivered into the exclusive possession of the bailee and (2) the property is accepted by the bailee." Winters v. Pike , 171 N.E.3d 690, 699 (Ind. Ct. App. 2021) (quoting Cox v. Stoughton Trailers, Inc. , 837 N.E.2d 1075, 1082 (Ind. Ct. App. 2005)).
In Count VII, Plaintiff alleges a claim for bailment under the theory that she transmitted her Private Information "in trust for a specific and sole purpose of receiving Upperline's medical treatment," but rather than use it "to facilitate [her] medical treatment," Upperline used it for "marketing and advertising purposes." (SAC ¶¶ 272, 274). Upperline contends Plaintiff's bailment theory cannot stand because she has not plausibly alleged she made a full transfer of her Private Information to Upperline such that Upperline had exclusive possession of it. Plaintiff disagrees, arguing her "data was exclusively possessed by Upperline on its server." (Pl.'s Resp. at 22–23).
Under Indiana law, "[f]or delivery to occur, there must be a full transfer of the property, either actually or constructively, to the sole custody of the bailee such as to exclude the owner/bailor and others." Winters , 171 N.E.3d at 699 (emphasis added). Here, Upperline did not have exclusive possession of her Private Information. Plaintiff was free to use her Personal Information as she pleased. Johnson , 736 F. Supp. 3d at 652 (holding no bailment existed because "Plaintiffs were free to use or disseminate their PII as they pleased and deliver it to limitless others"). Because Plaintiff was not excluded from her Private Information, there could be no plausible bailment relationship. See, e.g ., Albanese Confectionary Grp. Inc. v. Cwik , 165 N.E.3d 139, 148 n.8 (Ind. Ct. App. 2021) (holding that an employee's data on her phone was not subject to a bailment because her employer did not have "exclusive possession" of that information, but rather the employee "was able to freely manipulate the data herself"). Upperline's motion to dismiss Plaintiff's bailment claim is therefore GRANTED .
I. Count VIII, Indiana Deceptive Consumer Sales Act Under the Indiana Deceptive Consumer Sales Act ("IDCSA"), a "supplier may not commit an unfair, abusive, or deceptive act, omission, or practice in connection with a consumer transaction." Ind. Code § 24-5-0.5-3(a). The Act recognizes two types of deceptive acts: "uncured" deceptive acts, and "incurable" deceptive acts. Ind. Code § 24-5-0.5-2(a)(7)–(8).
In Count VIII, Plaintiff alleges an incurable deceptive act, which is defined as "a deceptive act done by a supplier as part of a scheme, artifice, or device with intent to defraud or mislead." Ind. Code § 24-5-0.5-2(a)(8). Because an incurable deceptive act sounds in fraud, McKinney v. State , 693 N.E.2d 65, 67 (Ind. 1998), the heightened pleading standard of Federal Rule of Civil Procedure 9(b) must be met, Borsellino v. Goldman Sachs Grp., Inc. , 477 F.3d 502, 507 (7th Cir. 2007); Gibson v. Eagle Fam. Foods Grp. LLC , No. 1:22-cv-02147-TWP-MKK, 2023 WL 5574625, at *5 (S.D. Ind. Aug. 29, 2023). This means the plaintiff must state "the identity of the person who made the misrepresentation, the time, place, and content of the misrepresentation, and the method by which the misrepresentation was communicated to the plaintiff." Vicom, Inc. v. Harbridge Merch. Servs., Inc., 20 F.3d 771, 777 (7th Cir. 1994). The plaintiff must also allege that she relied on the alleged deception. Ind. Code. § 24-5-0.5-4(a) (stating that only a "person relying upon an uncured or incurable deceptive act may bring an action for the damages actually suffered"). Upperline argues, among other things, that Plaintiff failed to plead her IDCSA claim with sufficient particularity.
Here, Plaintiff alleges Upperline encouraged patients to use its Website and online platforms and "made express and implied promises to protect Plaintiff's . . . Private Information." (SAC ¶¶ 27, 284(a)). Nevertheless, Upperline "fail[ed] to disclose the material fact that it discloses patients' Private Information to Facebook and potentially other third parties, . . . without their knowledge, consent, or authorization." ( ¶ 284(a)).
Citing McKinney , Plaintiff argues she has pleaded fraud with sufficient particularity because she "alleges facts to show 'a discrepancy between what was told to the consumer and the underlying facts.'" (Pl.'s Resp. at 24 (quoting McKinney , 693 N.E.2d at 71)). The language she quotes from McKinney merely stands for the proposition that a claim "sounds in fraud" under Indiana Trial Rule 9(B) (which is nearly identical to Federal Rule of Civil Procedure 9(b)) "if based on a discrepancy between what was told to the consumer and the underlying facts." McKinney , 693 N.E.2d at 71. In other words, her argument merely drives home the fact that Federal Rule of Civil Procedure 9(b) applies to her state law claim based on the court's diversity jurisdiction. Sumrall v. LeSea, Inc. , 104 F.4th 622, 629 (7th Cir. 2024) (noting "federal courts applying state law . . . use state substantive law and federal procedural rules").
Turning to Upperline's argument, the court agrees that Plaintiff has not pled her IDCSA claim with sufficient particularity under Rule 9(b). She fails to allege who (generally) at Upperline made the promise, when those promises were made, and how those promises were communicated to her. She also fails to plead whether those promises to keep her information private extended to her interactions on Upperline's Website. This omission is important because, as Plaintiff concedes, "Upperline did not provide a written Privacy Policy or Notice of Privacy Practices to users of its Website or otherwise notify Website users of its privacy policies and practices." (SAC ¶ 71). Finally, Plaintiff does not plead that she relied on Upperline's promises to her detriment. Jones v. Bridgepoint Educ., Inc. , No. 1:16-cv-338, 2017 WL 2438461 at *4, (N.D. Ind. June 5, 2017) (dismissing IDCSA claim because the plaintiff did not state any facts to show that "she expressly relied, to her detriment, on any statements or representations made by [the defendant's] phone solicitors"). Therefore, Upperline's motion to dismiss Plaintiff's IDCSA claim is GRANTED .
J. Count IX, Violation of the Electronic Communications Privacy Act, 18 U.S.C. § 2511(1)
The Electronic Communications Privacy Act ("ECPA") provides that any person who "intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication" may be subject to civil penalties, among other things. 18 U.S.C. § 2511(1)(a), (5)(a)(ii). The same is true for any person who intentionally discloses or uses, or endeavors to disclose or use, the contents of an intercepted communication. Id . § 2511(1)(c), (d). The statute provides an exception if the person intercepting or causing an interception of a communication "is a party to the communication." Id. § 2511(2)(d). This "party exception" does not apply, however, if the "communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State." § 2511(2)(d).
In Count IX, Plaintiff asserts Upperline violated § 2511(1)(a), (c), and (d) of the ECPA through the tracking technology installed on its Website. Upperline moves to dismiss this claim because (1) it was a party to the alleged communications on its Website; (2) the crime-tort exception does not apply; and (3) Plaintiff fails to plausibly show that the "contents" of any communications were disclosed to a third party. Plaintiff does not dispute that Upperline may invoke the party exception. Accordingly, the court turns to whether the crime-tort exception applies.
Plaintiff contends the crime-tort exception applies because HIPAA makes it a crime for a healthcare provider to "disclose a person's personally identifiable health information to a third party without express written authorization." (SAC ¶ 4); see also 42 U.S.C. § 1320d-6(a)(3) (stating HIPAA makes it a crime to, as relevant here, "knowingly . . . disclose[] individually identifiable health information to another person . . . without authorization"). She also contends the disclosure included the "contents" of her communications—defined as "any information concerning the substance, purport, or meaning of that communication," 18 U.S.C. § 2510(8)—to a third party. For the reasons explained in Section III.A. of this opinion, the court agrees with Plaintiff and finds she has plausibly alleged that Upperline's tracking technology on its Website disclosed her Private Information—i.e., the "contents" of her communications with Upperline— without her written authorization to a third party like Facebook.
Nevertheless, Upperline argues that Plaintiff has not sufficiently alleged that Upperline intercepted any communication "for the purpose of committing any criminal or tortious act." § 2511(2)(d) (emphasis added). As pled, Upperline argues, its purpose was not to violate HIPAA; it was simply to boost business from targeted advertising.
The SAC's basis for conferring criminal purpose is not merely the fact of Upperline's wiretapping—its interception of Plaintiff's communications with Upperline's Website. It is also that Upperline's business arrangement with Facebook reveals its intent to profit commercially from exploiting Private Information, in violation of HIPAA. These allegations supply a plausible basis on which to infer criminal intent. Accordingly, Upperline's motion to dismiss Plaintiff's ECPA claim based on § 2511(1)(a), (c), (d) is DENIED .
K. Count X, Violation of the Electronic Communications Privacy Act, 18 U.S.C. § 2511(3)(a), and Count XI, Violation of the Stored Communications Act, 18 U.S.C. § 2702(a)(1) Section 2511(3)(a) of the ECPA prohibits the provider of an "electronic communication service" from divulging the content of communications transmitted on that service to third parties (i.e., anyone other than the addressee or the intended recipient). Section 2702(a)(1) of the Stored Communication Act ("SCA") [9] provides that, with certain exceptions, a person or entity providing either an electronic communication service or remote computing service to the public shall not "knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service." § 2702(a)(1). For purposes of the ECPA and SCA, an "electronic communication service" is defined as "any service which provides to users thereof the ability to send or receive wire or electronic communications." Id . § 2510(15). In Counts X and XI, Plaintiff alleges Upperline divulged the contents of her communications on Upperline's Website to Facebook.
Upperline contends that it is a healthcare organization, not an electronic communication service provider, and thus cannot be liable under § 2511(3)(a) of the ECPA or the SCA. Plaintiff responds that Upperline fits within the definition because it "'provided'; i.e., made available, its website to the public." (Pl.'s Resp. at 29).
Upperline cannot plausibly be considered an electronic service provider within the meaning of the ECPA or SCA. Communication service providers include "internet service providers, electronic mail providers, telecommunications companies, and remote computing services." St. Johns Vein Ctr., Inc. v. StreamlineMD LLC , 347 F. Supp. 3d 1047, 1064 (M.D. Fla. 2018) (quoting IPC Sys., Inc. v. Garrigan , No. 1:11-cv-3910-AT, 2012 WL 12872028, at *9 (N.D. Ga. May 21, 2012) (noting courts that construe the definition of "electronic communications service" "have distinguished those entities that sell access to the internet from those that sell goods and services on the internet or otherwise make use of internet services to conduct their day to day business activities")). "[C]ompanies that merely purchase or use electronic communications services in the conduct of their ordinary business are not themselves electronic communications services." Kurowski v. Rush Sys. for Health , 659 F. Supp. 3d 931, 939–40 (N.D. Ill. 2023) (citing Gamer v. Amazon.com, Inc. , 603 F. Supp. 3d 985, 1003–04 (W.D. Wash. 2022) ("A company that merely utilizes electronic communications in the conduct of its own business is . . . not the provider of the service to the public.")). A healthcare organization like Upperline is not in the electronic communications business. Upperline's motion to dismiss Plaintiff's § 2511(3)(a) ECPA claim and its motion to dismiss Plaintiff's SCA claim are therefore GRANTED .
L. Count XII, Computer Fraud and Abuse Act The Computer Fraud and Abuse Act ("CFAA") applies to one who "intentionally accesses a computer without authorization or exceeds access, and thereby obtains . . . information from a protected computer." 18 U.S.C. § 1030(a)(2)(C). The statute defines the term "exceeds authorized access" to mean "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." § 1030(e)(6). A "protected computer" is one "used in interstate or foreign commerce or communication." Id. § 1030(e)(2)(B). In Count XII, Plaintiff alleges Upperline "exceeded, and continues to exceed, authorized access to [her] . . . protected computer[] and obtained information thereby" and she suffered a loss "during any 1-year period" of "at least $5,000 in value" under id. § 1030(c)(4)(A)(i)(I). (SAC ¶¶ 342–43).
According to Upperline, Plaintiff has not sufficiently alleged that (1) it exceeded "authorized access" to her computer and that (2) she suffered any damage or loss. Plaintiff says her allegations are sufficient because she has alleged that Upperline "surreptitiously implemented pixel trackers on its website to disclose Plaintiff's Private Information to third parties" and has sufficiently alleged she suffered a loss. (Pl.'s Resp. at 30).
In Van Buren v. United States , the Supreme Court held that "an individual 'exceeds authorized access' when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him." 593 U.S. 374, 396 (2021). The court agrees with Upperline; Plaintiff has not alleged that Upperline accessed "information located in particular areas" of her computer "that was off limits to [it]."
Turning to Upperline's second argument, the CFAA defines "damage" as "any impairment to the integrity or availability of data, a program, a system, or information." 18 U.S.C. § 1030(e)(8). Similarly, "loss" is defined as "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service[.]" Id . at § 1030(e)(11). As the Supreme Court in Van Buren noted, "[t]he statutory definitions of 'damage' and 'loss' thus focus on technological harms—such as the corruption of files—of the type unauthorized users cause to computer systems and data. Limiting 'damage' and 'loss' in this way makes sense in a scheme 'aimed at preventing the typical consequences of hacking.'" 593 U.S. at 391–92 (citation omitted). Thus, "[w]ithout a harm relating to computer impairment or computer damage, [Plaintiff's] allegations cannot constitute a 'loss' under the [CFAA]." Deck v. Courtney , No. 1:21-cv-01078-JPH-MJD, 2021 WL 3474043, at *2 (S.D. Ind. Aug. 6, 2021).
In her Response, Plaintiff argues she suffered "losses which aggregate to at least $5,000 in value, including monetary damages, loss of privacy, unauthorized disclosure of Private Information, decreased value of Private Information, lost benefit of the bargain, and increased risk of future harm resulting from further unauthorized disclosure of her information." (Pl.'s Resp. at 31 (citing SAC ¶¶ 206, 260, 343). But these damages are the damages she seeks for negligence (SAC ¶ 206) and breach of contract ( id. ¶ 260). For her CFAA claim, she alleges a loss of at least $5,000 "because of the secret transmission of [her] Private Information . . . which w[as] never intended for public consumption." ( ¶ 343). Whether the court considers her version of the loss actually suffered or limits the loss claimed in this CFAA count, the result is the same: Plaintiff has not alleged any harm or damage to her computer as a result of Upperline's tracking technology. Therefore, Plaintiff has not stated a plausible claim for a violation of CFAA and Upperline's motion to dismiss this claim is GRANTED .
IV. Conclusion
For the reasons set forth above, the court GRANTS in part and DENIES in part Defendant's Motion to Dismiss (Filing No. 90). The motion is GRANTED with respect to Counts I-VIII and X-XII and DENIED with respect to Count IX, Plaintiff's claim under § 2511 of the ECPA.
IT IS SO ORDERED this 8th day of August 2025.
s/RLY Distributed Electronically to Registered Counsel of Record.
[1] Upperline removed its Indiana-focused website sometime after April 23, 2023. (SAC ¶ 10 n.15). The URL, hppt://upperlinehealthindiana.com now redirects to http://www.upperlinehealth.com.
[2] Pursuant to the Health Insurance Portability and Accountability Act, 42 U.S.C. § 1320d et seq ., and its implementing regulations ("HIPAA"), "protected health information," or "PHI," is defined as "individually identifiable" information that is "created or received by a health care provider" and that "[r]elates to the past, present, or future physical or mental health or condition of an individual" or the "provision of health care to an individual." 45 C.F.R. § 160.103
[3] The Federal Trade Commission defines "identifying information" as "any name or number that may be used, alone or in conjunction with any other information, to identify a specific person," including, among other things, "[n]ame, Social Security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number." 17 C.F.R. § 248.201(b)(8).
[4] McLaughlin and Johnson relied on Indiana's Model Jury Instruction 703(3) for the proposition that Indiana law allows for damages regarding the value of lost time. McLaughlin , 2024 WL 4274848, at *3; Johnson , 736 F. Supp. 3d at 648. Under Indiana law, lost-time damages are limited to lost earnings or income. In re General Motors LLC Ignition Switch Litig. , 339 F. Supp. 3d 262, 309, 313–14 (S.D.N.Y. 2018) (interpreting Indiana law and citing Indiana cases). Plaintiff's SAC does not alleged she has suffered lost earnings or lost income.
[5] The "increased risk of harm" language comes from the Seventh Circuit's standing analysis in Lewert v. P.F. Chang's China Bistro, Inc. , 819 F.3d 963, 967 (7th Cir. 2016).
[6] Section 5 of the FTCA prohibits "unfair . . . acts or practices in or affecting commerce." 15 U.S.C. § 45. "Unfair or deceptive acts" are further defined as those that: "(i) cause or are likely to cause reasonably foreseeable injury within the United States; or (ii) involve material conduct occurring within the United States." § 45(4)(A)(i–ii).
[7] The court takes no position on whether the FTCA lay out the "objective standards" which, if violated, could supply the standard for a negligence per se claim to proceed under Indiana law.
[8] Plaintiff cites paragraphs 161, 193 and 199 of her SAC as support, but those paragraphs say nothing about damages.
[9] The SCA was enacted in 1986 as part of the ECPA. IPC Sys., Inc. v. Garrigan , No. 1:11-cv- 3910-AT, 2012 WL 12872028, at *8 (N.D. Ga. May 21, 2012).